If we allow JAR (JWT Secured Authorization Request) to relax the
requirement for the `response_type` request parameter (outside a request
object) from mandatory to optional, should we also relax the following
requirement for the `scope` request parameter stated in OIDC Core 1.0
Section 6.1?

----------
Even if a scope parameter is present in the Request Object value, a scope
parameter MUST always be passed using the OAuth 2.0 request syntax
containing the openid scope value to indicate to the underlying OAuth 2.0
logic that this is an OpenID Connect request.
----------

Otherwise, an authorization request like "client_id=...&request(_uri)=..."
fails if the request object represents an OIDC request. The authorization
request has to look like "client_id=...&request(_uri)=...&scope=openid"
(a `scope` including `openid` has to be given outside the request object)
even if the authorization server conforms to JAR and allows omission of the
`response_type` request parameter.

I think that implementers want to know the consensus on this because it
affects implementations. Has this been discussed yet?

Best Regards,
Takahiko Kawasaki
Authlete, Inc.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
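The two readings compared in the mail above, written out as an added example (this is not code from the thread, from Authlete, or from any specification text). It models an authorization server's first check on an incoming request: parameters outside the request object are parsed from the query string, and the request object is assumed to have already been fetched, signature-verified and decoded into a dict of claims (JWT handling is deliberately out of scope). The `relax_scope` flag switches between OIDC Core 1.0 Section 6.1 as written (a `scope` containing `openid` must be present outside the request object) and the relaxed reading the mail asks about (a `scope` containing `openid` inside the request object suffices). All query strings and claim sets below are constructed sample inputs.

```python
from urllib.parse import parse_qs


def parse_query(query):
    """Parse the OAuth 2.0 request-syntax part (the query string) into a flat dict.

    Repeated parameters are rejected: OAuth 2.0 does not allow a request
    parameter to appear more than once.
    """
    flat = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if len(values) != 1:
            raise ValueError(f"duplicate request parameter: {name}")
        flat[name] = values[0]
    return flat


def scope_has_openid(scope):
    """True if a space-delimited scope string contains the 'openid' value."""
    return scope is not None and "openid" in scope.split()


def validate_authorization_request(query, request_object, relax_scope=False):
    """Return (ok, reason) for an authorization request carrying a request object.

    query          -- query string of the authorization request (outside parameters)
    request_object -- decoded claims of the verified request object, or None
    relax_scope    -- False: OIDC Core 1.0 Section 6.1 as written
                      True:  the relaxed reading discussed in the mail
    """
    outer = parse_query(query)

    # client_id is needed outside the request object in every reading,
    # if only to locate the key that verifies the request object.
    if "client_id" not in outer:
        return False, "client_id is required outside the request object"
    if "request" in outer and "request_uri" in outer:
        return False, "request and request_uri must not both be present"
    if ("request" in outer or "request_uri" in outer) != (request_object is not None):
        return False, "request object presence does not match request/request_uri"

    # JAR: parameters inside the request object take precedence over
    # duplicates passed outside, so build the effective parameter set that way.
    effective = dict(outer)
    if request_object is not None:
        effective.update(request_object)

    # With JAR relaxing response_type outside the request object, it only
    # has to be present somewhere in the effective set.
    if "response_type" not in effective:
        return False, "response_type is missing from both the request and the request object"

    is_oidc_request = scope_has_openid(effective.get("scope"))
    if is_oidc_request and not relax_scope and not scope_has_openid(outer.get("scope")):
        return False, ("OIDC request: scope containing openid must also be passed "
                       "outside the request object (OIDC Core 1.0 Section 6.1)")
    return True, "ok"


# Constructed sample inputs; the request value stands in for a real JWT.
OIDC_REQUEST_OBJECT = {
    "client_id": "s6BhdRkqt3",
    "response_type": "code",
    "scope": "openid profile",
    "redirect_uri": "https://client.example.org/cb",
}
QUERY_WITHOUT_SCOPE = "client_id=s6BhdRkqt3&request=REQUEST_OBJECT_JWT_PLACEHOLDER"
QUERY_WITH_SCOPE = QUERY_WITHOUT_SCOPE + "&scope=openid"


if __name__ == "__main__":
    for label, query, relax in (
        ("strict, no outer scope", QUERY_WITHOUT_SCOPE, False),
        ("strict, outer scope=openid", QUERY_WITH_SCOPE, False),
        ("relaxed, no outer scope", QUERY_WITHOUT_SCOPE, True),
    ):
        print(label, "->", validate_authorization_request(query, OIDC_REQUEST_OBJECT, relax))
```

The first case is exactly the failure the mail describes: a JAR-conformant server that no longer demands `response_type` outside the request object still rejects `client_id=...&request=...` under Section 6.1 as written, because `scope=openid` is absent from the query string; the second and third cases show the two ways of making it pass.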